Comments for "Is Antivirus Dead?" (www.schneier.com, a blog covering security and security technology)

Comment from Karsten on 2010-10-01
Unfortunately, antivirus is not dead even with all its shortcomings.

As long as applications can use up 100% CPU time and eat away all of the available RAM, eventually forcing the machine (OS) into an unresponsive state and without the tools to monitor all activity and an application level based privilege system using certificates for all services offered by the OS, the need for blacklisting will continue to exist.

Whitelisting is a nice idea but it doesn't work in many cases, and the "trusted" applications/files are still often vulnerable (like Acrobat Reader, Flash Player, MS Office.....). Microsoft improved the security of Windows greatly over the last years, but it's no use if the rest of the market doesn't react.

Also sorry for my English.

Comment from Jamie on 2010-09-14
Great article.
I'm one of those non-IT people, and after reading all the posts, I have just one question. If the IT people can't decide, how can I decide? Can anyone recommend an AV software, or combination, to help protect us from the "bad guys" out there....

Comment from Pierre (http://gwan.ch/) on 2010-04-29
Even the venerable "The Economist" claimed recently that AV vendors are only exploiting end-users' ignorance to sell their stuff (at a premium).

But, given the kind of people (no less than secret service agents) involved in the AV business, one might argue that the prospect of having a good excuse to index and scan people's disks and call home daily (to get incremental updates) is not something that they want to stop doing any time soon.

Hence, maybe the extraordinarily long life of this completely pointless "technology" created by another "security expert" (did you notice that Windows is the only virus playground?).

This is all about "business opportunities" my friends. Nothing else.

Comment from Andy Whittal (http://www.toptenservices.net/) on 2009-11-14
I somewhat agree with you considering the number of new viruses coming out daily. It is almost impossible to keep virus definitions updated to the minute and second. There is always a chance of picking up a new virus that your security cannot detect. But don't you think that an average computer user should be educated not to download whatever comes across? I see so many people downloading those fish tank screen savers and downloading all sorts of funny executable files off the internet; for them the internet is a safe place where they can download anything without paying its price.
Until such novice computer users stop clicking "punch the monkey" to win free goodies, the virus creators won't stop doing all the evil. If an average computer user becomes a little smarter, bad guys won't find much success in all their evil doing. Just my opinion.
Andy.

Comment from HJohn on 2009-11-12
@Jack: "AV is not THE solution. If AV coupled with a correctly set up Windows (not running in Admin and with Autorun permanently turned off), it can be as safe as many other OS, differs by only how elegant it handles privilege elevations and others."
_________

Good post.

I sort of view it like my wife's cancer treatments. She is on medication to prevent/alleviate some of the side effects of the cancer. However, the medication is not a cure for cancer, and the cure for her cancer (surgery) does not protect her from the lingering effects of the illness.

This is really how I feel about AV. The computer should be locked down best it can be to mitigate the damage that can be done, be it viruses, zero day exploits, attackers, etc. However, just because a system is locked down doesn't mean it is beyond damage, so deploying antivirus, antispyware, firewalls, patches, etc., are still sensible actions.

Also, considering the average user probably does not know how to do any one solution with expertise, layers of protection are more effective overall. For an expert, one or two solutions brilliantly configured may be great; however, for the average user, running several protections with mediocre or even default configuration may be more realistic.

Please note I'm not saying default and mediocre configurations are desirable, I'm saying we must consider the skill set of the users.

Comment from Mzazi on 2009-11-12
Pls tell me how I can kill recycler for good, it keeps coming back.

Comment from Jack on 2009-11-12
Hi all,

Some one has correctly pointed out:
"What does make a difference is,

1, How secure the OS is "out of the box".
2, How secure the user choses to set the OS up.
3, what the user choses to do with the OS."

AV as Bruce said is not THE solution. If AV coupled with a correctly set up Windows (not running in Admin and with Autorun permanently turned off), it can be as safe as many other OS, differs by only how elegant it handles privilege elevations and others. All my machines run in this manner.

What makes Windows, particularly XP, so bad in the eyes of security experts lies squarely with Microsoft. The enforcement of file system security was introduced with Windows 2000 and hence MS should have been shouting at the development communities to get on board.

Not only that: It did not provide any form of debug tools to alert developers of security violations or requiring too much privilege. As a result, I would say 90% of the developers are ignorant of the need to use the least privilege principle and to understand the OS's security policy. Most just turn them off by running in Admin. I actually had a lengthy debate in a well-known (not MS) development company's forum educating their developers to do so.

As a result, as one commented, most games need to run in Admin mode but in fact do not. That is a sign of totally sloppy and ignorant programming condoned by their equally ignorant management.

The spreading of Conficker via USB is nothing new. In the days of the floppy disk, this was a well known trick: put some malicious boot code on a floppy disk waiting for someone to leave it in the drive for the next boot. How can Microsoft be so ignorant of this danger and blatantly make this out to be a cool feature? Now with the helping hand of Microsoft, the attacker does not even need to wait for a reboot!

If you are a Conficker developer, good on you to exploit Microsoft's stupidity. Apparently Win7 now has that 'feature' turned off. Finally, after all that time in which they could have easily issued a registry setting to turn it right off as a security update.

Recently I was operating a machine running AVG and helping to eradicate trojans, and the downloader literally ran amok under the nose of AVG by infecting my USB drive. Fortunately, it will not do much damage in my locked down environment.

Hence in addition to AV, tighten your OS security to the max as most trojans/virus will not be able to take root in such an environment.

Comment from BF Skinner on 2009-11-12
@berkutturan "You would choose the one that is least vulnerable, wouldn't you?"

no. It's not just our own box. I would choose the one(s) that are most suited to the application being developed. There are technologies that are mature on one OS but not another. Clients need function.

Security costs are a factor, but what if the decision to go Ubuntu means having to recruit and hire, train and maintain personnel (users and admins) who know how to run it in a large environment?

One client I worked at spent 9 months trying to find a suitable *nix admin to come work at their out of the way site.

Another time I was at an MCSE certification class and a bunch of people in it with me were sweating, unhappy and obviously under the gun. They weren't having fun with technology. I asked them about it and they told me that their company had just switched from Novell to Windows. They were being "retrained" in a certification class. Further, they were told that they passed their tests or they were fired the next week.

Comment from Eric on 2009-11-11
Very interesting comments... There are Software Restriction Policies built into Windows, for the people wondering "What other application whitelisting choices are there?". Configured with limited user privileges it is a strong configuration. Using the default directory rules with a default deny policy is a pretty powerful starting point in creating a strong environment.

Comment from berkutturan on 2009-11-11
By the way, Bruce is doing something right. How could you sell security to someone secure? Windows is right for him. Lots of threats, viruses, malware, insecure software supply channels. Sorry for my last comment, anyway. It's just business.

Comment from berkutturan on 2009-11-11
I was also afraid of viruses and decided to use anti-virus software on my servers and clients. Then I noticed that there are no viruses in the wild for Ubuntu.

Come on Bruce. It's you who are vulnerable. Use anti-viruses that slow down your computer. Use anti-malware. Use anti-hijackers. It's a dead end.

You would choose the one that is least vulnerable, wouldn't you? We have a saying: do what your teacher says, not what he does.

Comment from JD Bertron on 2009-11-11
This is why zero-day detection is important. In fact, it's the only detection that's needed. Because it works even for an unknown crypto-virus.
ThreatFire
Comment from Pat Cahalan (http://padraic2112.wordpress.com) on 2009-11-11
I take Marcus's approach on my personal machine (my laptop), and Bruce's approach on everything else, including my other personal machine that I share with the famdambily. My laptop is mostly trusted. Nothing else is regarded as particularly trustworthy.

Of course, I don't bank online, or store all my financials on untrusted machines, so there's that.

Comment from mashiara on 2009-11-11
None of the large AV companies have used purely signature based engines since ages ago.

F-Secure (=FSC, full disclosure: I worked for them 8 years ago) for example has had purely heuristic engines (using signatures only to remove false positives) alongside more traditional ones for 10 years.

Note that there are many kinds of heuristics. The "traditional" one is to analyze the executable and look for potentially bad behaviour; another (that Bruce often has called for) is to basically attach itself (like debuggers do) between the program and the rest of the system and analyse the program as it runs (the true "hinkyness" analyzer) and if it tries to do bad things prevent and/or ask the user (these are policy decisions). At least FSC has been doing things like this also for some years now (and yes: it's quite heavy on the system).

I understand that Bruce is a cryptographer and thus AV isn't really his field, but I'd like people to do a little more research on how things are actually done these days before complaining that everyone still uses static signatures for detection.

And realtime (regardless of the scanning engines) AV of course always affects performance, on multi-core machines and standard office workloads it's just not that noticeable since the other core(s) would be idling anyway.

Comment from UACForMe on 2009-11-11
@David
"Up through XP, there was an expectation that users would run with full admin privileges."

Unfortunately, this is still the case with lots of business and educational software, and is still quite common with consumer software, especially games.

For example, just about any current/popular computer game requires the use of an admin-level user account. Making matters worse, just about all games these days _require_ Internet access, even for solo, non-multi-player gaming (i.e. CoD4MW2), with the worst offenders (i.e. Blizzard) trying to setup torrents for patches.

To try to keep some sense of security, my kids' computers are connected to the Internet through a screened subnet, where the router/firewall whitelists Internet access to only those sites required by the games to function. This prevents the games (or any other software) from accessing "who knows what" on the Internet, and also prevents use of torrents (many games still have some form of fall-back to a real server to download patches).

One of my pet peeves though is the use of multiple different root domains by the same game company, which makes whitelisting unnecessarily more difficult/complex. For example, the recent CoD4MW2 game requires the use of Steam (even for solo offline play), where the main site is steam.com (simple to whitelist). However, it also uses steampowered.com, steamcommunity.com and a growing list of other domains I am finding through the blocked access alerts in the firewall logs. There is absolutely no reason these couldn't have been set up as subdomains off the main domain (i.e. community.steam.com).

Unfortunately, this problem of "too many domains" is not unique to game companies, as many businesses don't seem to "get it" or just don't have IT "architects" smart enough to figure out how to utilize a common root domain. Although some are starting to "get it".

Besides being an inconvenience for whitelisting, this is also a serious security problem which can lead to phishing, since users can't easily identify a company's website when several different root domains are used.

I'll assume you missed my response (at November 10, 2009 9:45 AM) to your previous comment. Your initial comment implied that AV was always needed, regardless of configuration or other safety precautions taken. I assert that it is trivial to create a situation in which AV is not worth the effort, and that such situations indicate that your statement ("AV is always needed") is untrue.

If you'd prefer getting yourself involved in a flamewar over the perceived merits and limitations of various operating systems, then I will leave you to that...

Comment from David on 2009-11-11
@Brandioch: No set of whitelists is ever going to be good enough. For example, I don't know what goes on in the Tuesday World of Warcraft updates. Presumably files change. If I play WoW, I want all those changes, but I really don't think there's any way Blizzard is going to supply hashes to AV vendors far enough in advance to be useful.

Moreover, it would have to whitelist all the stupid little things people download now (and get infected from), because they're going to download a lot of them anyway. In order to stop them, they need software that will be pretty accurate in filtering them. If such protection flags too many of those as potentially harmful, the protection gets either turned off or ignored.

I don't see it happening in a home environment, and you can already prevent a lot of similar dangers in a work environment.

Comment from Bithead on 2009-11-11
>and you won't notice any performance degradation at all.

There is a difference in the operating environment and level of control applied between backoffice servers established at a real estate office and ones supporting mission criticals supervised by administrators.

I won't talk to Twitter 'cause I don't know how they're configured. Got a feeling that they are exploitable.

My observation isn't directed at the OS but the operators. My belief and experience has been that any OS can be configured to be hard to crack in a hostile or protected environment, including Windows NT4. Because I've done it. But it takes effort. During the Nimda/Code Red summer, when worms ran riot through a client's enterprise, they had people reimaging their servers that were found and compromised by worms before their initial reboot was finished.

Our facility (with thousands of Windows servers, workstations, webservers, and SQL Servers at all version levels) lost _A_ workstation to the worm. That was due to the AV. Is AV sufficient? No. I won't argue that it is. But it is necessary. After we installed AV products on the *nix servers we found we were taking 2 to 3 pieces of malicious code off the *nix environment a month. Enough that once shown the *nix admins agreed that it was necessary.

Smug *nix admin to me. "The only way to know your craft is to hand-build all your systems. This is easy with *nix. System imaging with Windows makes for stupid SAs."
Me. "Oh good. Wait. Look at this chart I've made from the IG report. It shows that 100% of our critical/high technical vulnerabilities are in the hand-built *nix environment, which comprises 20% of our production environment. And these are different vulnerabilities on each server... While our stupid imaged Windows (80%) environment has moderate and low vulnerabilities that are the same problem across platforms."
*nix admin "Oh."

Smug *nix admin to me. "We can configure the OS in any way we want, loading only those packages needed."
Me "Good. That meets our least service control. Oh wait. Why does every one of your Solaris servers run BIND?"
*nix admin "oh well that's our default build. We do that for all machines."
Me "Why. Is every one of your servers serving DNS?"
*nix admin "Well no."
Me "Take bind off"
*nix admin "We don't know what'll happen. It'll take months of testing"
Me "Take it off, carefully"
Since this was BIND8 it was kinda important. Oh, and this happened last year.

Smug *nix admin "We don't have to trust the vendor. We can look at all our code and compile it and know that there's nothing malicious in it."
Me "Excellent. Wait. Why did you download and install this compromised Sendmail package from Sendmail.org?"
*nix admin "We didn't know it was compromised because we didn't check the MD5 hash against the downloaded package."
Me "So you're not even doing the simple task of checking the MD5 hashes and you expect us to believe you're tracing out thousands of lines of code and checking the response of every function? By the way, are you a programmer?"
*nix admin "No."
Result of the after-action of an admin installing the trojaned Sendmail package in a mission critical enterprise app.

Just because you can do a thing doesn't mean the admins do it. But hey... they know best, right? My observation here is not about the technology but on the unjustified belief that you'll hear in a constant singsong if you listen... that *nix is perfect, Windows sux. That's religious bigotry, not engineering, and yes, unjustified. Look at @jeff and @nostromo's reactions. Those are emotional reactions. It leads to arrogance and a 'why bother' mindset that has made our current set of onerous and often stupid FISMA requirements necessary.

"Unix has no more locks on its doors than modern versions of Windows, so your analogy fails, and in many cases Windows is better than unix, but suffers because of its ubiquitous nature."

Ah the analogy does not fail ;)

The number of locks alone is not enough to secure a door.

Each lock must be sufficiently strong to do the required job. If you have ten weak locks and I have one strong lock I might be more secure.

Then of course there is the "brand issue" you refer to. As a lock picker I'm going to practice on the most common type of lock as that gives me the best opportunity advantage.

That's the trouble with an analogy people have different perspectives 8)

More seriously the various MS OS's do have security features as do the various flavours of *nix.

You could argue the merits of these various features till you get old and grey, as in the main they make little or no difference.

What does make a difference is,

1, How secure the OS is "out of the box".
2, How secure the user choses to set the OS up.
3, what the user choses to do with the OS.

The main trend of the argument here is MS have in the past chosen usability out of the box over security.

And that overall the users of MS OS's tend to be less technically savvy than those who use *nix.

And that many users of MS OS's are more reckless in what they do with their computers than *nix users.

When you then compare the market share of MS OS's to *nix OS's, the number of non-savvy MS OS users is several times the total of *nix users.

According to the "Myths and Legends" of computing, the original architect of MS's New Technology, Dave Cutler (lead on DEC's VMS & RSX11), went to MS in the late 1980's supposedly promising to make a "better unix than unix". Work officially started in Nov 88 to fulfil MS's commitment to IBM over OS/2.

Unfortunately MS Sales and Marketing had other ideas; MS Windoze 3.1 on top of MesS DrOS had suddenly taken off and rather than go down the original OS/2 2 API route for NT, MS switched to Win 3 APIs. The rest, they say, is history...

Comment from lk on 2009-11-11
s/has/had/
Sorry for sounding like a lolcat.
Comment from lk on 2009-11-11
To all those "I never has antivirus and never had any viruses". Please run the antivirus already!

I'm sick and tired of getting spam silently sent from your zombiefied computers.

Viruses don't work like in movies from the '80s, where your screen melts or files disappear.

You won't ever see when your computer is infected. Viruses these days are trying to be as silent as they can to remain undetected for as long as possible.

Comment from James Gentile on 2009-11-11
"People who use locks on their doors need to get past their unjustified smugness...It demonstrates an inexperienced, uneducated mind. Any lock is subject to lockpicking."

Unix has no more locks on its doors than modern versions of Windows, so your analogy fails, and in many cases Windows is better than unix, but suffers because of its ubiquitous nature.

Actually MS's free antivirus seems to even have reasonably good detection performance and almost no system impact (at least from my observation on my netbook).
And it does not try to upsell you to a "better" version like AVG etc.

Comment from Nick S. on 2009-11-10
For those of you who default to running as administrator and then pick-and-choose apps to run with less privileges, why not just run as a regular user account? 95% of any maintenance just requires a right-click, Run As... The only thing that doesn't work for is a couple of things in the control panel that require a little extra work with rundll32. I ran this setup on Windows 2000 for YEARS without a problem.

Comment from Bruce Barnett on 2009-11-10
I'm surprised that no one has mentioned that Microsoft just released a free anti-virus program: http://www.microsoft.com/Security_Essentials/
Comment from Stefan W. (http://home.arcor.de/hirnstrom) on 2009-11-10
I'm running linux as a desktop system for over 10 years now, nearly full time, without AV and without malware.

Slapper and Scalper were worms, not virii, and infected Apache, which isn't a typical desktop app, and since then 7 years have passed. :)

Running AV-soft with an empty signature file does not make too much sense.

Email: Well - There are only few people who would send me mails with attachment - beside spam, and of course I don't forward spam. I would forward a link to a funny page, but if you run a MS-system, you have to protect yourself.

"As the saying goes, "You can fool some of the people all of the time..." which is why you need AV on corporate systems."

You did not complete the saying,

"... and all of the people some of the time."

As was once said

"The only fish that you cannot catch is one that does not eat, you just need the right bait."

From the AV perspective if you have a clean machine that you never put bytes on from other media, where the bytes might have originated from the outside world then you may not need AV software.

But if it were not for the mess AV software makes of MS OS's I would say "load it and run it when required".

I could not in honesty recommend any AV software that "integrates" itself with an MS OS as I've yet to find one you can fully remove without consequences.

Which is why I connect to the outside world via a "boot from CD" Linux distro and use a USB memory key to put downloaded data on. This I then scan for malware on another Linux box, before putting it any where near any of the MS OS machines I have to use from time to time.

It's not perfect as malware that has no sig can still get through.

Each of my MS OS machines is dual boot with a Linux partition with the appropriate tools on it. I scan the files on the MS OS partition and see if any have been changed via an MD5 checksum scan. If a file is new or has changed with good reason I update the checksum file. If not I restore from backup or wipe it.

I also have utilities that zero all the slack space and zero and remove temp files etc.

It's a bit belt and braces but it has once caught a virus file that got through the AV scanner as it was "too new" to have a sig. As an aside, it was a researcher doing something similar to this that led to him discovering the Sony rootkit. Likewise do not trust "installation media": if you think back, the original "Word macro virus" came out on a Microsoft update CD...

But like a commenter above I'm starting to use virtual snapshots for running MS OS's virtually. This is on a high end Linux box and when I have some time I will investigate using remote desktops on a diskless client with it. If it works OK then I'll build another "Safe Server" just for the fun of it ;)

Another little trick for home users whose ISP is not kind enough to malware scan your emails for you is to leave your email on the ISP server.

Then with linux and an appropriate script pull down a copy of any "unread" messages and scan them. If a message fails delete it off of the server. If it's OK mark it as read on the server, or forward it to a private mail server. You can do similar with "spam".

Then "only when you have to" connect to the ISP mail server with your MS OS / MUA; you can read the "read messages" but not the unread ones as they have not yet been scanned.

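A baseline-and-verify integrity scan of the kind the dual-boot checksum procedure above describes, as an added example that is not the commenter's own script: it records a manifest of file digests, reports new, changed and missing files on a later scan, and lets an operator fold reviewed changes back into the manifest. It assumes SHA-256 in place of the MD5 the comment mentions (pass `algo="md5"` to match), that the scanned tree is quiescent during the scan, and that the manifest lives off that tree; the sample files and paths in `demo()` are constructed.

```python
"""Added example: baseline-and-verify file integrity check (not the commenter's
own tooling). Assumes the scanned tree is not changing while it is scanned and
that the manifest is stored outside that tree."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large files never need to fit in RAM


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Hex digest of one file. The comment uses MD5; SHA-256 is the default
    here because MD5 collisions are cheap to manufacture."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path, algo: str = "sha256") -> dict:
    """Map every file under `root` (relative POSIX path) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = file_digest(full, algo)
    return manifest


def save_manifest(manifest: dict, dest: Path) -> None:
    dest.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify(root: Path, manifest: dict, algo: str = "sha256") -> dict:
    """Compare the live tree with a stored manifest.

    Returns {"new": [...], "changed": [...], "missing": [...]} of sorted
    relative paths; all three empty means the tree still matches the baseline.
    """
    current = build_manifest(root, algo)
    return {
        "new": sorted(p for p in current if p not in manifest),
        "changed": sorted(p for p in current if p in manifest and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
    }


def accept(manifest: dict, root: Path, paths, algo: str = "sha256") -> dict:
    """Fold reviewed changes (a legitimate update or deletion) into a copy of
    the manifest. Anything not accepted stays flagged on the next run."""
    updated = dict(manifest)
    for rel in paths:
        full = root / rel
        if full.is_file():
            updated[rel] = file_digest(full, algo)
        else:
            updated.pop(rel, None)  # accepted deletion
    return updated


def demo() -> dict:
    """Constructed scenario: baseline a small tree, mutate it, scan twice."""
    root = Path(tempfile.mkdtemp(prefix="scan-"))
    store = Path(tempfile.mkdtemp(prefix="manifest-"))  # kept off the scanned tree
    try:
        (root / "bin").mkdir()
        (root / "bin" / "notepad.exe").write_bytes(b"original notepad bytes")
        (root / "bin" / "calc.exe").write_bytes(b"original calc bytes")
        (root / "readme.txt").write_text("hello")
        save_manifest(build_manifest(root), store / "baseline.json")

        # Events a later scan should surface: one legitimate patch, one dropped
        # binary, one removed file (all constructed).
        (root / "bin" / "notepad.exe").write_bytes(b"patched notepad bytes")
        (root / "bin" / "dropper.exe").write_bytes(b"unexpected new file")
        (root / "readme.txt").unlink()

        baseline = load_manifest(store / "baseline.json")
        first = verify(root, baseline)

        # Operator review: only the notepad update is explained, so accept it;
        # the unexplained new file and the missing file stay flagged.
        accepted = accept(baseline, root, ["bin/notepad.exe"])
        save_manifest(accepted, store / "baseline.json")
        second = verify(root, load_manifest(store / "baseline.json"))
        return {"first": first, "after_accept": second}
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(store, ignore_errors=True)
```

Run `demo()` to see both reports; in real use point `build_manifest` and `verify` at the mounted Windows partition from the Linux side, as the comment describes.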
Comment from sad on 2009-11-10
Whitelisting is nice, but it seems to be an enterprisey thing. For Windows, it's only available in the Professional line of products. Third-party whitelisting seems to also target the enterprise. Are there any consumer-level application-whitelisting vendors out there?

Comment from David on 2009-11-10
@HJohn: Microsoft Windows is hampered by its legacy of backward compatibility extending to when there was no such thing as user privileges, and the single user simply controlled the whole computer. This is in contrast to the Unix tradition of using user accounts for everything but system administration tasks. Apple was willing to dump a lot of backward compatibility when moving from the traditional MacOS to MacOSX, but Microsoft wasn't.

Up through XP, there was an expectation that users would run with full admin privileges. Many software developers just used admin accounts, and didn't test on more limited accounts. This was less true for business software, but was pretty much standard in personal software. One of the purposes of UAC was to push developers into making their software work on limited accounts, but that came out with Vista, recently and as part of a very unpopular OS.

Comment from PackagedBlue on 2009-11-10
Is antivirus dead? Maybe, if you buy into the claims of Trusted Computing.

Comment from HJohn on 2009-11-10
I find this an interesting converse to the previous blog post on "Laissez-Faire Access Control." The points on both sides of both AV and AC topics are "permit the good" vs "detect the bad."

I think both are necessary, since we can never get either one exactly right. Trying to do either exclusively is not only too difficult, but destructive.

"Most users aren't IT pros, so when they set themselves up as admin everything works."

I think it is worse than that. Most users don't even understand that there are different types of accounts. Microsoft's goal is supposedly to get everyone onto running as a standard user by default. It will be interesting to see how they pull that one off.

Comment from solution on 2009-11-10
OpenBSD! At least the attitude is correct

Comment from TS on 2009-11-10
@sooth sayer

In 25 years of computing, I have never unintentionally infected any of my machines. Some good friends who are also IT types have never infected themselves. Not much of a problem when you know what you're doing.

On the other hand, with 8000 users, there is a large number who probably couldn't tell you what a computer virus is in the first place. Who don't give a second thought to opening an attachment from an unknown sender. Who just aren't aware that there is a risk.

Remember "I Love You"? There were a lot of people tricked into opening that one. And "Anna Kournikova"? I remember people asking if we could unblock it for them. Then there was Klez, which spoofed the sender so the old "don't open messages from people you don't know" wasn't quite as effective.

As the saying goes, "You can fool some of the people all of the time..." which is why you need AV on corporate systems.

Comment from HJohn on 2009-11-10
@Richard: "Running as a non-Admin in XP was a bit of a hassle... Admittedly I'm an IT Pro so I'm not the kind of user to click on something malicious but running as non-Admin also gives you a great deal of reassurance."
____________

I think you nailed the key problem. Most users aren't IT pros, so when they set themselves up as admin everything works. Functionality is why they purchased the thing in the first place.

]]>
2009-11-10T18:30:15Z2009-11-10T18:30:15Ztag:www.schneier.com,2009:/blog//2.3117-comment:398675Comment from Richard on 2009-11-10Richard
I have been running XP and now Windows 7 on my home PC and Laptop plus my work PC as a non-Admin for over 4 years.

I've also not had any AV software installed/running on any of them the whole time.

Running as a non-Admin in XP was a bit of a hassle, but in Windows 7 the experience is great.

Admittedly I'm an IT Pro so I'm not the kind of user to click on something malicious but running as non-Admin also gives you a great deal of reassurance.

]]>
2009-11-10T18:26:15Z2009-11-10T18:26:15Ztag:www.schneier.com,2009:/blog//2.3117-comment:398673Comment from Mark R on 2009-11-10Mark R
White listing can be very effective, but I think it's incomplete without also defining what your trusted applications are entitled to do (a la SELinux). Malware doesn't necessarily have to change the executables themselves to infect your system.]]>
2009-11-10T18:08:27Z2009-11-10T18:08:27Ztag:www.schneier.com,2009:/blog//2.3117-comment:398672Comment from Alfonso Maruccia on 2009-11-10Alfonso Marucciahttp://kingofgng.com/eng/
Good point, Bruce, even though I'd recommend Avira AntiVir (both the free and commercial version) instead of AVG for its better detection capabilities (as stated by the AV-Comparatives folks)....]]>
2009-11-10T18:00:56Z2009-11-10T18:00:56Ztag:www.schneier.com,2009:/blog//2.3117-comment:398671Comment from Eugen Bacic on 2009-11-10Eugen Bacic
I recall my research into viruses and anti-virus software back in the 80s. At the time we determined that anti-virus was not an acceptable long-term solution, especially as connectivity increased, etc.

We examined a lot of solutions in my research lab and we determined that control flow was the most likely solution to be long-term viable. Unfortunately, it was fairly slow on era hardware. We did build control flow and execution flow solutions against a number of Unix variants to good effect. Some of the research was published but because of major impact on performance it was deemed inappropriate to control malware via control/execution flows at that time.

Perhaps now, with much faster hardware, it may well be time to re-examine controlling malware by providing informed flow controls within operating systems. I know other research has looked at controlling flow via various methods and some have even determined efficient ways of learning what's "normal" within a given system.

Although no solution would be perfect, the advent of zero-day attacks and the sheer interconnectivity of everything means we need to look into more complex solutions for the malware problem that are predictive in nature.

For those interested they should look back into research done on information flow, execution control, etc. Though much of that work was done in the 80s and early 90s, I think it is now more relevant than ever.

I may be computer literate enough to avoid nearly all malware, most of the other users of my home computer aren't - and at least one needs admin access to run what (to them) are basic programs.

So anti-virus software allows me to identify a good percentage of the problems (and they give me enough information that I can then recover from an attack). Similarly, the firewall I've installed (I've found windows firewall to be nearly useless) allows me to find suspicious executables and prevent them from emitting or downloading while I'm verifying what they are.

I assume you mean your remote access via Citrix is locked down by IP address, not MAC address. MAC addresses can only be checked locally, or on a LAN and are absurdly trivial to change.

Saying you are secure because you do MAC address filtering is like saying you are secure because you log into your remote system with telnet but your password is strong.

]]>
2009-11-10T17:05:01Z2009-11-10T17:05:01Ztag:www.schneier.com,2009:/blog//2.3117-comment:398663Comment from Skeptical Fanboy on 2009-11-10Skeptical Fanboy
I think whitelisting can be a good thing, but I think it needs to be federated in order to reduce the burden.

In this age of Web 2.0-style crowdsourcing, I think we need a Slashdot-style rating, karma, and meta-moderation system: Allow anyone to rate the trustworthiness of a given executable, but take their opinions lightly until they've developed a history of (A) correctly identifying good and bad code; and (B) doing so relatively early in the lifecycle of a piece of code.

You can also give trusted software publishers the ability to vouch for their code in some way. Perhaps you'd simply whitelist code that was signed, and all other code would get a "trustworthiness" score assigned by the user community.

Obviously, malware authors and others will attempt to game the system, so you'll need a karma system and meta-moderation to keep things from getting too out of hand.

I'm not familiar with either Bit9 Parity or Savant Protection, so perhaps they already do what I'm proposing, and they're still too clunky.

A quick check of their product pages seems to indicate they're primarily used by IT departments to centrally lock down applications. My proposal wouldn't take on the IT function of locking out harmless-but-undesirable applications. It would only handle the prevention of malware, thus making it much simpler from an end-user perspective.

I'm sure there are numerous flaws in my proposal, but I'm curious to see what others think about such a scheme.

]]>
2009-11-10T17:02:49Z2009-11-10T17:02:49Ztag:www.schneier.com,2009:/blog//2.3117-comment:398662Comment from Patrick G. on 2009-11-10Patrick G.
Additionally, an ever increasing number of applications on any PC use/require an internet connection, thereby exposing the Apps themselves to certain threats.

So keeping one's applications up-to-date is vital IMO, even with a virus scanner running in the background.

Sadly that requires more expertise and effort on most PCs, so finding applications that are as old as the OS installation itself is not uncommon.

To make up for Windows' lack of a package manager, I personally use Secunia's free Personal Software Inspector (PSI) on my PC (and the PCs I happen to fix). It's a really nifty tool to search for vulnerable versions of applications and plugins installed and it gives official download links, patch notes and so on for most standard popular applications and tools.

There are other programs that do the same trick, but Secunia's investing quite a bit into that one (and gathering anonymous data on the way!) and their App-/Version-Database is really extensive...

P.S.: I don't want to do advertising, so form your own opinion. There are reviews out there and comparisons, so be sure to check them and read the fine print before installing.

"Why, then, does AV lag so badly that signature recognition is still the standard state-of-the-art?"

Because there are no business drivers to make it anything but a signature system.

If you designed a system that actually detected a virus by its activities (ie hinkyness) then there would be little or no incentive to spend money with the AV companies next year.

As I noted above the AV companies do not really have distribution costs so there is no incentive to make them change as the cost would far outweigh the savings.

Likewise they don't have a financial incentive to release properly tested code (pick your own metrics for that ;) as long as it works "well enough" for most then the users will do the testing for them.

So not only are AV companies using long out of date techniques because there is a financial incentive to do so, they have also outsourced software testing to their customers...

As has often been said "follow the money"...

]]>
2009-11-10T17:00:24Z2009-11-10T17:00:24Ztag:www.schneier.com,2009:/blog//2.3117-comment:398659Comment from Iain on 2009-11-10Iain
"Your business will have no way to know what they're using, and -- more importantly -- you'll have no control."

Only if you choose not to have. We have remote access via Citrix but it's locked down by MAC address to approved machines. Sure that's a trade-off in terms of flexibility, but it's not true to say you can't stop people connecting via "cell phone or PDA, or a computer in a hotel's business center."

People coming into the office and plugging in their own devices is probably more of a threat.

On AV I tried AVG for a while at home but didn't find it very easy to use - went back to Norton suite which does more and is only £20 pa.